SNMP safe?

Discussion in 'Cisco' started by thefunnel@aol.com, Jul 13, 2005.

  1. Guest

    Hi,

    If I configure a SNMP community on a Cisco switch for remote
    management,

    Say,

    "paul" with read write.

    Is that switch vulnerable to anyone guessing the SNMP community name?

    In the SNMP config I see no way of securing SNMP - only by community
    name.

    What is the usual practice for configuring SNMP on network devices?
    Should I be choosing long and cryptic SNMP community names? Even then
    am I completely protected? This seems a very powerful tool to only be
    protected by the equivalent of a workgroup name. The community name
    also seems to be in plain text on all config pages.

    Thanks

    Paul
     
    , Jul 13, 2005
    #1

  2. <> wrote in message
    news:...
    > Hi,
    >
    > If I configure a SNMP community on a Cisco switch for remote
    > management,
    >
    > Say,
    >
    > "paul" with read write.
    >
    > Is that switch vulnerable to anyone guessing the SNMP community name?
    >
    > In the SNMP config I see no way of securing SNMP - only by community
    > name.
    >
    > What is the usual practice for configuring SNMP on network devices?
    > Should I be choosing long and cryptic SNMP community names? Even then
    > am I completely protected? This seems a very powerful tool to only be
    > protected by the equivalent of a workgroup name. The community name
    > also seems to be in plain text on all config pages.
    >
    > Thanks
    >
    > Paul
    >

    You can protect the switch somewhat with an ACL, or put the management
    address in a VLAN that Joe Public can't get to.

    BL

    --
    "Americans always try to do the right thing - after they've tried everything
    else."
    - Winston Churchill (1874 - 1965)
     
    Buzz Lightbeer, Jul 13, 2005
    #2

  3. In article <>,
    <> wrote:
    :If I configure a SNMP community on a Cisco switch for remote
    :management,

    :Is that switch vulnerable to anyone guessing the SNMP community name?

    Yes, certainly, if you are using SNMP versions 1 or 2.

    SNMP v1 and v2 send the community "in the clear" so anyone who can
    sniff can read off the community. This is a particular problem if you
    are using some kind of device discovery program that sweeps your
    network looking for devices and probing them via SNMP to figure out
    what they are and (e.g.) what interfaces they have -- if you are doing
    a sweep like that, then every device on your net will be sent the SNMP
    community "in the clear" if you are using v1 or v2.

    :In the SNMP config I see no way of securing SNMP - only by community
    :name.

    :What is the usual practice for configuring SNMP on network devices?

    Use SNMP v3, which has a few security levels, including encrypting the
    password.
    --
    Usenet is like a slice of lemon, wrapped around a large gold brick.
     
    Walter Roberson, Jul 13, 2005
    #3
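
The cleartext community described in the reply above, shown at the byte level. This is an added example, not part of the thread: `tlv`, `build_get` and `classify` are hypothetical helper names, and the datagrams are constructed inline rather than captured. It builds a minimal v1/v2c GetRequest, then classifies a datagram by version so that monitoring can flag traffic still carrying a community string.

```python
def tlv(tag, payload):
    """BER tag-length-value with short-form length (payload under 128 bytes)."""
    if len(payload) > 127:
        raise ValueError("short-form length only")
    return bytes([tag, len(payload)]) + payload


def build_get(version, community):
    """Minimal v1 (version=0) or v2c (version=1) GetRequest for sysDescr.0."""
    oid = tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0]))      # 1.3.6.1.2.1.1.1.0
    varbinds = tlv(0x30, tlv(0x30, oid + tlv(0x05, b"")))    # value is NULL
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00")  # request-id, error-status
              + tlv(0x02, b"\x00") + varbinds)               # error-index
    # Message ::= SEQUENCE { version, community OCTET STRING, PDU }
    return tlv(0x30, tlv(0x02, bytes([version]))
               + tlv(0x04, community.encode()) + pdu)


# Constructed, truncated SNMPv3 message: version 3 followed by msgGlobalData
# (msgID, msgMaxSize 1500, msgFlags auth+priv, security model USM).
V3_HEADER = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30,
                tlv(0x02, b"\x01") + tlv(0x02, b"\x05\xdc")
                + tlv(0x04, b"\x07") + tlv(0x02, b"\x03")))


def classify(datagram):
    """Return (version_label, carries_cleartext_community) for a datagram."""
    if len(datagram) < 6 or datagram[0] != 0x30 or datagram[1] > 127:
        raise ValueError("not a short-form SNMP message")
    if datagram[2:4] != b"\x02\x01":
        raise ValueError("expected a one-byte version INTEGER")
    version = datagram[4]
    label = {0: "v1", 1: "v2c", 3: "v3"}.get(version, "unknown")
    # In v1/v2c the field after the version is an OCTET STRING (tag 0x04)
    # holding the community; in v3 it is a SEQUENCE (msgGlobalData) instead.
    return label, version in (0, 1) and datagram[5] == 0x04


if __name__ == "__main__":
    packet = build_get(1, "paul")
    print(packet.hex(), classify(packet))
    print(classify(V3_HEADER))
```

The community bytes appear unmodified inside the datagram, which is why a discovery sweep exposes them to every device and every observer on the path.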
  4. blackice Guest

    A few tips:
    - Use a proper ACL to restrict access and a complex community string
    - Use SNMP version 3 if possible so that the credentials are
    encrypted
    - Restrict access to certain OIDs with an SNMP view

    I think Cisco has a whitepaper on securing SNMP, check out CCO.

    On 13 Jul 2005 14:33:44 -0700, "" <>
    wrote:

    >Hi,
    >
    >If I configure a SNMP community on a Cisco switch for remote
    >management,
    >
    >Say,
    >
    >"paul" with read write.
    >
    >Is that switch vulnerable to anyone guessing the SNMP community name?
    >
    >In the SNMP config I see no way of securing SNMP - only by community
    >name.
    >
    >What is the usual practice for configuring SNMP on network devices?
    >Should I be choosing long and cryptic SNMP community names? Even then
    >am I completely protected? This seems a very powerful tool to only be
    >protected by the equivalent of a workgroup name. The community name
    >also seems to be in plain text on all config pages.
    >
    >Thanks
    >
    >Paul
     
    blackice, Jul 13, 2005
    #4
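
The tips in this thread (ACL, SNMPv3, views) can be checked mechanically against a saved configuration. The following is an added example, not part of the thread and not Cisco's own tooling: `audit` is a hypothetical function, and the config excerpt is constructed, with only the "paul" read-write community taken from the original question.

```python
import re

# Constructed running-config excerpt; only the "paul" RW community comes from
# the thread. Other names, the view and ACL 10 are illustrative assumptions.
SAMPLE_CONFIG = """\
snmp-server view MGMT-VIEW system included
snmp-server community paul RW
snmp-server community n0c-Read-7f3k RO 10
snmp-server community s3cond-Ro-91x view MGMT-VIEW RO 10
snmp-server group NOC v3 priv read MGMT-VIEW access 10
snmp-server group LEGACY v3 noauth
access-list 10 permit 192.0.2.10
"""

# snmp-server community <string> [view <name>] [ro|rw] [<acl>]
COMMUNITY = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>ro|rw))?(?: (?P<acl>\S+))?\s*$", re.I)
# snmp-server group <name> v3 {auth|noauth|priv} [read ..] [write ..] [access <acl>]
GROUP = re.compile(
    r"^snmp-server group (?P<name>\S+) v3 (?P<level>auth|noauth|priv)(?P<rest>.*)$",
    re.I)


def audit(config):
    """Return (subject, finding) pairs for the SNMP lines of an IOS config."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        c = COMMUNITY.match(line)
        if c:
            name = c["name"]
            findings.append((name, "cleartext-community"))  # v1/v2c by definition
            if (c["mode"] or "ro").lower() == "rw":         # IOS defaults to ro
                findings.append((name, "read-write"))
            if not c["acl"]:
                findings.append((name, "no-acl"))
            if not c["view"]:
                findings.append((name, "no-view"))
            continue
        g = GROUP.match(line)
        if g:
            if g["level"].lower() != "priv":
                findings.append((g["name"], "v3-not-priv"))
            if not re.search(r"\baccess \S+", g["rest"], re.I):
                findings.append((g["name"], "no-acl"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```

The check only confirms that an ACL or view is referenced on the line; it does not verify that the referenced ACL or view is defined or sufficiently narrow.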